Infinidat Blog

Ransomware is out to get you…r Backups!

In recent years ransomware has become a very lucrative business, with some state actors militarising it or using it as a new revenue stream. Any article you read about preparing for ransomware will tell you that there are two main things to do:

Prevent - invest in employee awareness, hire pen-testers to test that awareness, etc.

React - once ransomware has breached your perimeter and spreads through the organisation, the speed with which your IT team can react translates directly into a minimised business impact.

But cybercriminals read the same articles and are constantly evolving. One of their weapons is attacking the backup, encrypting it so you can’t use it against them, with some corrupting backup files (e.g. WannaCrypt0r) and others attacking the backup files of the Mac’s Time Machine or Windows Volume Shadow Copy Service (VSS).

How should organisations prepare for the day of the attack?

In my previous blog post I’ve already discussed the role of snapshots in identifying an active ransomware attack, and how they can offer optimal recovery without having to move terabytes of data back from your backup target.

However, if attackers are actively researching ways to corrupt backups, it’s safe to assume they are also looking at the possibility of deleting snapshots, and we need to proactively plan for that day, as no one wants to be the first to discover their snapshots were deleted by the latest strain of ransomware (probably called WannaSnap…).

At this point many customers will ask: why not fall back on detached backups? Why take a chance with online backups in such a scenario? Time to recovery is the main driver here. A business having to recover a large volume of data from tape will take too long to recover, directly affecting its customers and revenue.

It’s also a question of recoverability, as tape backups are not always recoverable (to put it gently), with some customers reporting that only 94% of their backups are recoverable on the day of the backup, and a clear decline in recoverability over time.

Can online backups be protected from ransomware?

The short answer is yes! Proper security mechanisms have to be put in place to allow converting a snapshot into a Write Once Read Many (WORM) snapshot that can’t be modified or deleted until it reaches a predefined point in time and its lock expires. At the same time, we want the snapshot to remain fully functional and retain all its original capabilities:

Recoverable (in all cases, not just ransomware)

Data copy management - allow creating writable copies from the snapshot for test & dev

Accessible for users - in NAS, WORM snapshots should still be accessible through the .snapshot / .ckpt hidden folder for end-user recovery

Other use cases

WORM snapshots can also serve other use cases:

Human error protection - humans are the root cause of most IT failures. Adding safeguards against the tired admin is always good practice. Snapshots can be locked to prevent accidental deletion before the end of their retention policy.

Legal hold - in some legal scenarios, data needs to be kept accessible for a long time to protect relevant evidence, allow proper discovery, etc. Locking a copy of the data is a great way to maintain access over time, and the lock can be extended if needed.

The WORM is long

Everyone who has ever worked with WORM solutions is familiar with that one story about the storage admin who accidentally locked a large dataset for too long (I have personally seen a dataset locked for 70 years, thankfully not by me...). This results in a huge expense to the company, which sometimes rewards the employee with a nice cardboard box for his/her belongings. To protect against this, WORM solutions should provide safeguards against unreasonable retention times. These should be configurable to suit the use case, as financial customers often keep data for 7 years, while hospitals may keep it for 80 years.

Introducing SnapSecure

SnapSecure is part of the latest announcement from INFINIDAT and, as always, is available to all our customers under a support contract as a free upgrade (I’ll write soon about the philosophy behind not having licenses). SnapSecure allows storage administrators to set a retention time on a snapshot, preventing deletion or modification of the data while still retaining all the snapshot capabilities mentioned above.

Since all access to InfiniBox is through the API, and the API prevents any modification of a locked snapshot, even if the ransomware were able to compromise admin credentials it would not be able to corrupt or delete any of your backups. This means you can rely on them to recover your data in less than a second and regain business operations quickly.


For the ‘legal hold’ scenario, when looking at an expired WORM retention, the admin must be able to tell whether the data is still retained ‘as original’ (has not been modified in any way) or whether users have been given access to it and may have made changes. This is made easy with SnapSecure, as snapshots now fall under one of 3 categories (see screenshot below):

Locked - the snapshot can’t be changed / deleted - closed padlock

Expired - the snapshot’s lock has expired but the data was never modified - open padlock

Data was never locked, or it was locked but has since changed - no symbol

Screenshot 1: Snapshots in different WORM states


That lets administrators who want to extend the legal hold on a snapshot be sure the data was never tampered with while it was unlocked.
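To make the mechanics above concrete, here is a small model of a WORM-locked snapshot written for this post as an added example. It is not SnapSecure or InfiniBox code, and every class, method and state name in it is an assumption chosen for illustration. It covers the three points discussed: a lock that refuses modification and deletion until its expiry, a configurable ceiling on retention (the “WORM is long” safeguard), and the three states an admin needs to distinguish when deciding whether to extend a legal hold. Whether the data is still “as original” is decided here by comparing a content digest recorded at lock time; that is one possible way to implement the distinction, not a description of how SnapSecure does it.

```python
"""Toy model of WORM (write-once-read-many) snapshot locking.

Added example for this post; not Infinidat's SnapSecure code or API.
Class, method and state names are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
from typing import Dict, List, Optional

# Safeguard against over-long retention: the longest lock a policy allows.
# Assumed default (7 years, the post's financial example); set per use case.
DEFAULT_MAX_RETENTION = timedelta(days=7 * 365)


class SnapshotLocked(PermissionError):
    """Raised when a locked snapshot would be modified, deleted or shortened."""


class RetentionTooLong(ValueError):
    """Raised when a requested lock exceeds the configured ceiling."""


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class WormSnapshot:
    name: str
    data: bytes
    lock_expires: Optional[datetime] = None  # None means never locked
    digest_at_lock: Optional[str] = None     # content hash recorded when locked
    deleted: bool = False

    def is_locked(self, now: datetime) -> bool:
        return self.lock_expires is not None and now < self.lock_expires

    def state(self, now: datetime) -> str:
        """Map to the post's three categories: 'locked' (closed padlock),
        'expired' (open padlock: lock passed, data unchanged since locking),
        or 'unlocked' (no symbol: never locked, or changed after expiry)."""
        if self.is_locked(now):
            return "locked"
        if self.digest_at_lock is not None and _digest(self.data) == self.digest_at_lock:
            return "expired"
        return "unlocked"

    def lock(self, until: datetime, now: datetime,
             max_retention: timedelta = DEFAULT_MAX_RETENTION) -> None:
        """Lock (or extend the lock on) the snapshot until `until`.
        Refuse retention beyond the ceiling, and never shorten an active lock."""
        if until <= now:
            raise ValueError("lock expiry must be in the future")
        if until - now > max_retention:
            raise RetentionTooLong(f"{self.name}: {until - now} exceeds {max_retention}")
        if self.is_locked(now) and until < self.lock_expires:
            raise SnapshotLocked(f"{self.name}: an active lock cannot be shortened")
        self.lock_expires = until
        self.digest_at_lock = _digest(self.data)

    def write(self, new_data: bytes, now: datetime) -> None:
        if self.is_locked(now):
            raise SnapshotLocked(f"{self.name}: locked until {self.lock_expires}")
        self.data = new_data

    def delete(self, now: datetime) -> None:
        if self.is_locked(now):
            raise SnapshotLocked(f"{self.name}: locked until {self.lock_expires}")
        self.deleted = True


def purge_all(snapshots: List[WormSnapshot], now: datetime) -> List[str]:
    """What a caller holding admin credentials achieves with 'delete everything':
    locked snapshots refuse, so only unlocked ones go. Returns the survivors."""
    survivors = []
    for snap in snapshots:
        try:
            snap.delete(now)
        except SnapshotLocked:
            survivors.append(snap.name)
    return survivors


def demo() -> Dict[str, object]:
    """Walk one snapshot through its lifecycle using constructed dates and data."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    daily = WormSnapshot("vol1@daily", b"constructed payroll data")
    scratch = WormSnapshot("vol1@scratch", b"constructed scratch data")
    daily.lock(t0 + timedelta(days=30), now=t0)

    results: Dict[str, object] = {}
    results["state_while_locked"] = daily.state(t0)
    results["survivors_of_purge"] = purge_all([daily, scratch], now=t0)
    try:  # the 70-year mistake from the post is caught by the ceiling
        daily.lock(t0 + timedelta(days=365 * 70), now=t0)
        results["overlong_lock_refused"] = False
    except RetentionTooLong:
        results["overlong_lock_refused"] = True

    t1 = t0 + timedelta(days=31)
    results["state_after_expiry"] = daily.state(t1)      # open padlock
    daily.lock(t1 + timedelta(days=365), now=t1)         # extend the legal hold
    results["state_after_extension"] = daily.state(t1)
    t2 = t1 + timedelta(days=366)
    daily.write(b"edited after the lock expired", now=t2)
    results["state_after_edit"] = daily.state(t2)        # no symbol
    return results
```

The legal-hold check the post describes is the `state(now) == "expired"` test: an admin extends the lock only when the snapshot reports “expired”, which here means the digest taken at lock time still matches the content. `purge_all` shows the point made about the API: a delete issued with admin rights succeeds on the unlocked snapshot and is refused on the locked one, so the locked copy remains available for recovery.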

About Eran Brown
Eran Brown is the EMEA CTO at INFINIDAT.
Over the last 14 years, Eran has architected data center solutions for all layers — application, virtualization, networking and most of all, storage. His prior roles include Senior Product Management, systems engineering and consulting roles, working with companies in multiple verticals (financials, oil & gas, telecom, software, and web) and helping them plan, design and deploy scalable infrastructure to support their business applications.